Having a heck of a time getting DSC Script resources to work with alternate credentials. I’m open to any suggestions right now.
I have public/private certificates being used and am successfully encrypting credentials in my mof files, using a pull server. Passing the Credential parameter to a resource works fine on all other resources, however I am trying to automate some of my setup tasks using PowerShell scripts. It just doesn’t seem to work! Here is a small example script resource for testing and verification:
Script Whodis {
    GetScript = {
        return @{
            SetScript  = $SetScript
            TestScript = $TestScript
            GetScript  = $GetScript
        }
    }
    TestScript = { $false }   # Always execute this script -- leave it up to the script to be idempotent
    SetScript = ([String]{ whoami >> C:\test\whodis.txt })
}
Running that as is logs “nt authority\system” to the text file, as would be expected.
It also appears that this will only run once regardless of TestScript always returning false, which is not how I’d expect this to work. If TestScript returns true the script will never run, but if it returns false it will run SetScript a single time and never again until the checksum changes. In my mind if TestScript continues to return false, SetScript will continue to run. But that is a digression.
At this point everything is working like I’d expect, factoring in the single run. Get-DscConfiguration works and returns the expected results.
So now we add the Credential parameter, and everything starts getting funky:
Script Whodis {
    Credential = $Credential
    GetScript = {
        return @{
            SetScript  = $SetScript
            TestScript = $TestScript
            GetScript  = $GetScript
        }
    }
    TestScript = { $false }   # Always execute this script -- leave it up to the script to be idempotent
    SetScript = ([String]{ whoami >> C:\test\whodis.txt })
}
Supposing ‘contoso\admin’ was the user specified by $Credential, the correct username is logged in the whodis.txt file, however now Get-DscConfiguration is busted:
Get-DscConfiguration : PowerShell provider MSFT_ScriptResource failed to execute Get-TargetResource functionality with error message: Failure to get the results from the script in a hash table format.
and I haven’t found any way to fix that. Also, and this is the bigger issue for me, the script doesn’t have access to any network resources regardless of the permission level of the account specified. I’m assuming this is a “double-hop” issue, but I don’t know how to specify CredSSP for this. I can make it work by wrapping my SetScript code inside an “Invoke-Command” call and hard-coding the credentials, but that defeats the point of the public key encryption and I am unwilling to do it in production.
Any thoughts?
EDIT:
Sorry, I just read the FAQ and saw that I shouldn’t have replied to my own post. I apologize, I’m new to this community and did not read that prior to posting. I’d delete the second post if I could.
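Added example, not code from the original post: the same Whodis Script resource with Credential set, but with a GetScript whose hashtable (with a Result key) is built entirely from values computed inside the script block, compiled against constructed configuration data that names the certificate used to encrypt the credential in the mof. The node name, certificate path and thumbprint are placeholders, and the C:\test\whodis.txt path is taken from the post.

```powershell
# Added example (not from the original post). Placeholders: node name,
# certificate file and thumbprint. Path C:\test\whodis.txt is from the post.
Configuration WhodisWithCredential
{
    param (
        [Parameter(Mandatory)]
        [PSCredential] $Credential
    )

    Node $AllNodes.NodeName
    {
        Script Whodis
        {
            Credential = $Credential
            # Everything the returned hashtable needs is computed inside this
            # block, so it does not depend on variables defined outside it.
            GetScript = {
                $path = 'C:\test\whodis.txt'
                $last = if (Test-Path $path) { Get-Content $path | Select-Object -Last 1 } else { $null }
                return @{ Result = $last }
            }
            TestScript = { $false }   # always run SetScript
            SetScript  = { whoami >> C:\test\whodis.txt }
        }
    }
}

# Constructed configuration data: the public certificate lets the compiler
# encrypt the credential in the mof instead of storing it as plain text.
$configData = @{
    AllNodes = @(
        @{
            NodeName        = 'TARGET01'                       # placeholder
            CertificateFile = 'C:\certs\TARGET01.cer'          # placeholder public key
            Thumbprint      = '<THUMBPRINT_OF_TARGET01_CERT>'  # placeholder
        }
    )
}

$cred = Get-Credential -Message 'Account the Script resource should run as'
WhodisWithCredential -ConfigurationData $configData -Credential $cred -OutputPath .\WhodisMof
```

After the mof is applied, Get-DscConfiguration shows the Result value the GetScript returned; the double-hop limitation on network resources is unchanged by this layout.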